Tricks To Bypass Device Control Protection Solutions

Advertisement

Preface

As I wrote in a previous blog post, I had an engagement last year where my task was to exfiltrate data from a workstation on some sort of storage media. The twist in that task was Lumension Sanctuary Device Control, and the version was 4.3.2, but I am not sure how newer version work and this seems to be a more general problem with device control solution, for example with Symantec products.

But what is a device control solution? In short, they audit I/O device use and block the attempts to use unauthorized devices. This includes hardware such as USB, PS/2, FireWire, CD/DVD so basically every I/O port of a computer. In my opinion, these are pretty good things and they offer a better looking solution than de-soldering the I/O ports from the motherboards or hot-gluing them, but on the other hand, they can be bypassed.

Bypass

OK, so what is the problem? Well the way these device control solutions work is that they load a few kernel drivers to monitor the physical ports of the machine. However... when you boot up the protected computer in safe mode, depending on the device control solution software, some of these drivers are not loaded (or if you are lucky, none of those modules will be loaded...) and this opens up the possibility to exfiltrate data.

In theory, if you have admin (SYSTEM maybe?) privileges, you might as well try to unload the kernel drivers. Just do not forget, that these device control solutions also have a watchdog process, that checks the driver and automatically loads it back if it is unloaded, so look for that process and stop or suspend it first.

In my case with the Lumension Sanctuary Device Control, I have found that when I boot the Workstation protected by the device control software in Safe Mode where, software's key logger protection module is not running... so I was still unable to use a USB stick, or a storage media, but I could plug in a keyboard for example...hmmm :)

As some of you probably already figured it out, now it is possible to use a pre-programmed USB HID, for example a Teensy! : ) I know about three different project, that uses this trick like these two mentioned in a Hackaday post, or this one. Unfortunately, the site ob-security.info no longer seems to be available (well, at least it is no longer related to infosec :D ), but you can still find the blog post and the files with the Wayback Machine.

For the hardware part, the wiring of the Teensy and the SD card adaptor is the same as I showed in the post on Making a USB flash drive HW Trojan or in the Binary deployment with VBScript, PowerShell or .Net csc.exe compiler post, so I will not copy it here again.

I have to note here that there are other ways to bypass these device control solutions, like the method what Dr. Phil Polstra did with the USB Impersonator, which is basically looks for an authorized device VID/PID and then  impersonates that devices with the VID/PID.

Mitigation

Most probably, you will not need safe mode for the users, so you can just disable it... I mean, it is not that easy, but luckily there is a great blog post on how to do that. BTW, the first page of the post is for Windows XP, but you are not using XP anymore, aren't you? ;)

Alternatively, as I mentioned at the beginning, you might as well use some physical countermeasure (de-soldering/hot-gluing ports). That shit is ugly, but it kinda works.

Conclusion

Next time you will face a device control solution, try out these tricks, maybe they will work, and if they do, well, that's a lot of fun. :)

But don't get me wrong, these device control solutions and similar countermeasures are a good thing and you should use something like this! I know that they make doing business a bit harder as you are not able to plugin whatever USB stick you want, but if you buy a pile of hardware encrypted flash drives, and only allow  those to be plugged in, you are doing it right ;)

Related news

1. Hack Tool Apk No Root
2. Hacking Tools Download
3. Hacking Tools Usb
4. What Are Hacking Tools
5. Hacking Tools Windows
6. Hack Tool Apk
7. Pentest Box Tools Download
8. Pentest Tools Url Fuzzer
9. Pentest Tools Open Source
10. Hacking Tools 2019
11. Hacker Search Tools
12. New Hack Tools
13. Hack Tools
14. Hackrf Tools
15. Best Hacking Tools 2020
16. Hacker Tools
17. Hacking Tools Usb
18. Hacker
19. Tools For Hacker
20. Hacking Tools For Beginners
21. Hacking Tools 2020
22. Pentest Tools For Windows
23. Growth Hacker Tools
24. Nsa Hacker Tools
25. Hacking Tools Software
26. Pentest Tools Github
27. Hacker Tools Windows
28. Hak5 Tools
29. Pentest Tools
30. How To Hack
31. Pentest Automation Tools
32. Github Hacking Tools
33. Pentest Recon Tools
34. Hacking Tools For Kali Linux
35. Kik Hack Tools
36. Hack Tools
37. Android Hack Tools Github
38. Hacker Tools For Mac
39. Hacking Tools For Beginners
40. Hacker
41. Hacker Search Tools
42. Computer Hacker
43. Hack Tools Mac
44. Hack And Tools
45. Wifi Hacker Tools For Windows
46. Hacking Tools
47. Best Hacking Tools 2019
48. Pentest Tools Download
49. Hacker Tools 2019
50. Physical Pentest Tools
51. Hacking Tools And Software
52. Hacking Tools 2020
53. Pentest Tools For Ubuntu
54. Hacker Tools For Mac
55. How To Make Hacking Tools
56. Hack Tool Apk No Root
57. New Hacker Tools
58. Tools 4 Hack
59. Pentest Tools Nmap
60. Pentest Tools Review
61. Termux Hacking Tools 2019
62. Hak5 Tools
63. Pentest Tools Subdomain
64. Hack Tools
65. Hacker Tools For Ios
66. Pentest Tools Windows
67. Hacking Tools Usb
68. Hacking Tools Software
69. Pentest Tools Download
70. Pentest Tools Android
71. Hacker Tools For Mac
72. Tools Used For Hacking
73. Pentest Tools Github
74. Hack Rom Tools
75. Pentest Recon Tools
76. Hackers Toolbox
77. Pentest Tools Windows
78. Hacker Tools Windows
79. Pentest Tools For Android
80. Hacking Tools
81. How To Install Pentest Tools In Ubuntu
82. What Are Hacking Tools
83. Nsa Hacker Tools
84. Best Pentesting Tools 2018
85. Hak5 Tools
86. Hacker Tools Free
87. Hacking Tools
88. Pentest Tools Find Subdomains
89. Best Hacking Tools 2019
90. Best Hacking Tools 2019
91. Hacker Tools For Ios
92. How To Install Pentest Tools In Ubuntu
93. Hacker Tools For Mac
94. Nsa Hack Tools
95. Hacking Tools 2020
96. Hackers Toolbox
97. Hacking Tools Windows
98. Termux Hacking Tools 2019
99. Tools For Hacker
100. World No 1 Hacker Software
101. Hacking Tools For Windows
102. Tools 4 Hack
103. How To Make Hacking Tools
104. Growth Hacker Tools
105. Pentest Tools For Android
106. Hack Tools
107. Pentest Tools Framework
108. Hacking Tools Usb
109. Bluetooth Hacking Tools Kali
110. Wifi Hacker Tools For Windows
111. Hacker Tools For Pc
112. Hacking Tools Pc
113. Hacker Tools Windows
114. Hacking Apps
115. Pentest Tools Subdomain
116. Termux Hacking Tools 2019
117. Pentest Tools List
118. Pentest Box Tools Download
119. Hacking Tools And Software
120. Hacking Tools For Pc
121. Hacking Tools Download
122. Hacking Tools
123. Hacker Security Tools
124. Hacker Search Tools
125. Hacking Tools Hardware
126. Hacker Tools Free
127. Hacker Tools Github
128. Install Pentest Tools Ubuntu
129. Pentest Tools Bluekeep
130. Pentest Tools Online
131. Hack Tools For Games
132. Hacking Tools 2019
133. Hacking Apps
134. Pentest Box Tools Download
135. Easy Hack Tools
136. Free Pentest Tools For Windows
137. Hacker Tools Linux
138. Tools Used For Hacking
139. Pentest Tools Find Subdomains
140. Pentest Tools Framework
141. Hacker
142. Black Hat Hacker Tools
143. Tools For Hacker
144. Hacker Tools Hardware
145. Hacker Hardware Tools
146. Tools For Hacker
147. Pentest Tools Android
148. Hack Tool Apk No Root
149. Hacking Tools And Software
150. Hack Tools Pc
151. New Hack Tools
152. Blackhat Hacker Tools
153. Hacking Tools And Software
154. Hack Tools 2019
155. How To Make Hacking Tools
156. Hack Tools For Windows
157. Top Pentest Tools
158. Hacking Tools Usb
159. Pentest Tools Website Vulnerability
160. New Hacker Tools
161. Hacking Tools Usb
162. Pentest Tools Find Subdomains
163. Hacker Tool Kit